
Novell SSL VPN is a VPN gateway built on SSL/TLS, the same technology web commerce sites use to protect confidential transactions, adapted to protect corporate networks in the way traditional VPN systems do. SSL VPN simplifies the user experience and eases client management by letting users connect to the VPN gateway through an ordinary web browser.

The SSL VPN gateway is deployed at the organization's perimeter. Administrators must take the utmost care to protect this server from intrusion, because a compromise of this system opens the way to attacks on the production servers in the DMZ as well as on internal networks. The Novell SSL VPN gateway is designed and deployed as a software appliance, so security administrators must lock down the base operating system on which they deploy the SSL VPN services.

As a basic protection measure, place the SSL VPN gateway behind your corporate firewall and open only the ports it needs. In addition, lock down the Linux server itself with its built-in packet filter. This document is a step-by-step guide to configuring the SUSE Firewall with the required packet filter rules and the optional NAT rules.

Deployment Setup

The Novell Access Manager suite comes with the following three major components:

Identity Server

Access Gateway

SSL VPN

You need at least three machines to set up a simple deployment. The sample deployment is shown in Figure 1:

It is recommended that you deploy a secondary firewall between the SSL VPN server, the other servers, and the internal network. On that secondary firewall you can then allow only the services, such as SSH, HTTP, and SMTP, that remote users are permitted to reach.

Open Ports for SSL VPN

The SSL VPN gateway requires the following ports to be opened in the firewall:

Port | Required for | Local/External/Internal | Description
TCP 8080 | Access Gateway | External | Allows the Access Gateway to accelerate the SSL VPN server and carries other Access Gateway to SSL VPN communication
TCP 8443 | Access Gateway | External | Allows the Access Gateway to accelerate the SSL VPN server, and carries the other communication when secure communication is enabled between the Access Gateway and the SSL VPN server
TCP 2010 | SOCKS server | Local | Communication between the internal components of the SSL VPN server; loopback only, so it does not need to be opened to the external or internal network
TCP 7777 and TCP 7778 | Client (Kiosk mode and Enterprise mode) | External | Secure ports on which the primary communication between the client and the server takes place

Routing for SSL VPN

Novell SSL VPN protects the communication between the remote client and the SSL VPN server and forwards the client's traffic to internal hosts. The internal hosts must route their replies back to the remote clients through the SSL VPN gateway, so you have to add the necessary routing to your network.

Remote clients are addressed from the IP address pool configured in the Administration Console. There are two ways to configure the routing, as described below.

Configuring Routes in Routers

You can add static routes in the routers between the internal hosts and the SSL VPN gateway. These routes specify how to reach the remote clients and must point to the SSL VPN gateway as the next hop. The subnet used in these routes must be the same as the client address pool configured in the Administration Console.

Adding NAT Rules

By configuring NAT rules on the gateway you can keep the client subnet configured in the gateway configuration visible only to the SSL VPN server itself, so no routing tables need to be modified. Because internal hosts then see only the gateway's address, applications that need to connect back to the client cannot work with this approach. For a quick deployment it is the easier option. All it needs is an iptables masquerading rule for the client subnet, which is described under Adding NAT Rules in the Additional Configuration section below.

Configuring SUSE Firewall for SSL VPN

3. Select the Reconfigure Firewall Settings option, then click Next.

4. Configure the interfaces as follows:

Figure 2 – Basic firewall configuration, step 1 of 4

External Interface: Enter the interface facing the internet in the top list box.

Internal Interface: Enter the private internal interfaces or DMZ interfaces in the bottom list box. You can specify multiple interfaces separated by spaces. Make sure you also enter the tun0 and tun1 device names. These tunnel interfaces exist only while SSL VPN is running, but you still have to list them here. You can fix the interface name in /etc/opt/novell/sslvpn/openvpn-server.conf.tmpl by changing tun to tun0 (or any other name starting with tun). Then click Next.

Next, you need to configure the allowed services.

Figure 3 – Basic firewall configuration, step 2 of 4

5. Select the check boxes for HTTP and HTTPS; these services must be reachable.

6. Click the Expert option.

7. Enter the ports listed in the table above. These ports need to be open for SSL VPN to operate.

Figure 4 – Basic firewall configuration, step 3 of 4

If you are running SSL VPN together with the Linux Access Gateway, you also need to open port 80. For the other ports the Linux Access Gateway needs, refer to the Novell Access Manager 3.0 Administration Guide.

8. Click OK, then click Next.

Do the other configurations as follows:

Figure 5 – Basic firewall configuration, step 4 of 4

9. Decide whether to select "Forward Traffic and Do Masquerading".

Selecting this option turns on ip_forward and adds a blanket masquerading rule to iptables. In our example deployment only packets coming from the client subnet configured in the Administration Console need to be masqueraded. Leaving the blanket rule out is more secure, so it is suggested that you leave this option unselected and enable IP forwarding alone by changing the following line in /etc/sysconfig/SuSEfirewall2:

FW_ROUTE="" to FW_ROUTE="yes"

The restricted masquerading rule for the client subnet is then added by hand under Additional Configuration below.

NOTE: When the SUSE Firewall is running, its FW_ROUTE setting supersedes the ip_forward value set in /etc/sysctl.conf. SSL VPN requires ip_forward to be enabled.

10. Select "Protect from Internal network" if you also want to deny connections from the internal network. In that case you must add the services or ports that internal hosts need in the previous configuration step.

11. Select “Protect all network services”.

12. Deselect “Allow Traceroute” if you do not want to allow trace route.

13. Select "Treat IPSec traffic as internal" only if this host also terminates IPsec tunnels whose traffic should be trusted as internal. SSL VPN itself does not use IPsec, so the option is normally left unselected.

14. Click Next.

Now your system is protected by the SUSE Firewall.

Additional Configuration

You can add the following configurations if required. There is no interface in YaST for these settings; you must edit the files directly as explained below.

Adding NAT Rules

If you are going to use the NAT-based routing approach described above, follow these steps:

1. Edit the file /etc/sysconfig/SuSEfirewall2 and change the following line:

FW_CUSTOMRULES=""

to

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

2. Open the /etc/sysconfig/scripts/SuSEfirewall2-custom file in an editor.

3. Add the masquerading rule for the SSL VPN client subnet to the fw_custom_before_masq function, and any forwarding rules that must take effect before the final deny rule to the fw_custom_before_denyall function. Restrict the masquerading rule to the client subnet configured in the Administration Console rather than masquerading all traffic.

The Enterprise mode of SSL VPN lets you configure the SSL VPN tunnel to use UDP as the secure transport between the client and the SSL VPN gateway. In that case you must also allow the configured UDP port through the firewall. SuSEfirewall2 applies the FW_SERVICES_INT_* variables only to the interfaces listed as internal, so for remote clients arriving on the external interface the port belongs in the EXT variable. Change the following line:

FW_SERVICES_EXT_UDP=""

to

FW_SERVICES_EXT_UDP="7777"

Use FW_SERVICES_INT_UDP instead only for clients that reach the gateway through an internal interface. The example above assumes that 7777 is the port configured for the encrypted UDP tunnel.
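The following script is an added example for this article and is not Novell's code or the original page's. It applies the settings from the YaST walkthrough (external and internal interfaces including tun0, the TCP ports from the table, FW_ROUTE on, blanket masquerading off) and the Additional Configuration steps (custom rules file with a masquerading rule limited to the client pool, and the UDP port for Enterprise mode) directly to the SuSEfirewall2 files. The interface names eth0 and eth1, the tunnel device tun0, the client pool 10.8.0.0/24 and UDP port 7777 are placeholders for your own values. The hook names other than the two the article mentions are the ones from the stock SuSEfirewall2-custom template, which this script replaces.

```shell
#!/bin/sh
# Added example (not Novell's code): apply the SSL VPN settings to
# SuSEfirewall2 without YaST. Assumptions: eth0 external, eth1 internal,
# tunnel device tun0, client pool 10.8.0.0/24, UDP port 7777 are placeholders;
# pass your own values. Paths can be overridden for a dry run in a temp dir.
FWCFG="${FWCFG:-/etc/sysconfig/SuSEfirewall2}"
FWCUSTOM="${FWCUSTOM:-/etc/sysconfig/scripts/SuSEfirewall2-custom}"
TUN_IF="${TUN_IF:-tun0}"   # must match "dev" in openvpn-server.conf.tmpl

# set_fw_var FILE NAME VALUE: rewrite NAME="..." in a sysconfig file, or append it.
set_fw_var() {
    file=$1; name=$2; value=$3
    if grep -q "^${name}=" "$file" 2>/dev/null; then
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# get_fw_var FILE NAME: print the current value so the result can be verified.
get_fw_var() {
    sed -n "s|^$2=\"\(.*\)\"|\1|p" "$1" | tail -n 1
}

# write_custom_rules SUBNET: generate the custom hook file. Hook names are the
# standard ones from the stock SuSEfirewall2-custom template.
write_custom_rules() {
    subnet=$1
    cat > "$FWCUSTOM" <<EOF
# Generated for the Novell SSL VPN gateway; client pool $subnet via $TUN_IF.
fw_custom_before_antispoofing() { true; }
fw_custom_after_antispoofing() { true; }
fw_custom_before_port_handling() { true; }

# Masquerade only packets from the client pool, so the pool stays invisible to
# internal hosts and no blanket MASQUERADE rule is needed.
fw_custom_before_masq() {
    iptables -t nat -A POSTROUTING -s $subnet ! -o $TUN_IF -j MASQUERADE
    true
}

# Allow tunnel traffic to be forwarded before the final deny rule; only replies
# to established connections may travel back into the tunnel.
fw_custom_before_denyall() {
    iptables -A FORWARD -i $TUN_IF -s $subnet -j ACCEPT
    iptables -A FORWARD -o $TUN_IF -d $subnet -m state --state ESTABLISHED,RELATED -j ACCEPT
    true
}
fw_custom_after_finished() { true; }
EOF
}

# configure_sslvpn_firewall EXT_IF "INT_IFS" SUBNET UDP_PORT
configure_sslvpn_firewall() {
    ext_if=$1; int_ifs=$2; subnet=$3; udp_port=$4
    set_fw_var "$FWCFG" FW_DEV_EXT "$ext_if"
    # the tunnel device is listed even though it exists only while SSL VPN runs
    set_fw_var "$FWCFG" FW_DEV_INT "$int_ifs $TUN_IF"
    # ports from the table in the article; TCP 2010 is loopback only, no rule needed
    set_fw_var "$FWCFG" FW_SERVICES_EXT_TCP "8080 8443 7777 7778"
    # Enterprise mode over UDP: remote clients arrive on the external interface
    set_fw_var "$FWCFG" FW_SERVICES_EXT_UDP "$udp_port"
    set_fw_var "$FWCFG" FW_ROUTE yes        # ip_forward, required by SSL VPN
    set_fw_var "$FWCFG" FW_MASQUERADE no    # no blanket NAT; custom rule instead
    set_fw_var "$FWCFG" FW_CUSTOMRULES "$FWCUSTOM"
    write_custom_rules "$subnet"
}

# Usage: sh sslvpn-fw.sh apply eth0 eth1 10.8.0.0/24 7777 && rcSuSEfirewall2 restart
if [ "${1:-}" = apply ]; then
    configure_sslvpn_firewall "$2" "$3" "$4" "$5"
fi
```

Run it as root on the gateway with the real interface names and the client pool from the Administration Console, then restart SuSEfirewall2 and confirm with iptables -t nat -L POSTROUTING -n that the only MASQUERADE rule is the one for the client pool. For a dry run, point FWCFG and FWCUSTOM at copies of the files first.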


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.